Configuring Postfix with Yandex.ru relay in Ubuntu 16.04

Today I read that Postfix can be better than sendmail and found a great Russian article on how to configure Postfix to work with Yandex.ru relay (Yandex.ru is some kind of Russian Google). The only notice I would give is that in a Docker container I need also install rsyslog, otherwise /var/log/mail.log file is not created:

apt install rsyslog

After doing all the steps described in this Russian manual I was able to send email to Yandex.ru and GMail accounts, but GMail landed all the emails to its spam folder. My first idea was that it is because I did not configure ‘from address’ correctly, so I had the following in /var/log/mail.log, and also there was a message ‘Cannot assign requested address‘:

Oct 27 11:36:19 0675c97b78aa postfix/pickup[1210]: 8C7ECE5B72: uid=0 from=<root>
Oct 27 11:36:19 0675c97b78aa postfix/cleanup[10786]: 8C7ECE5B72: message-id=<20171027113619.8C7ECE5B72@0675c97b78aa.localdomain>
Oct 27 11:36:19 0675c97b78aa postfix/qmgr[1211]: 8C7ECE5B72: from=<root@0675c97b78aa.localdomain>, size=405, nrcpt=2 (queue active)
Oct 27 11:36:19 0675c97b78aa postfix/smtp[10788]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c09::1b]:25: Cannot assign requested address
...

And email header in GMail inbox contained ‘localdomain address’:

Delivered-To: XXX@gmail.com
Received: by 10.140.31.202 with SMTP id f68csp695216qgf;
        Fri, 27 Oct 2017 05:36:19 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+SPxJH1fvDe5DxZGgsIPrnRQ5rdKvPFwmtp/1PyMOrXhWHACL9pJuXT5zkeg6VMVO3aZjjo
X-Received: by 10.28.29.205 with SMTP id d196mr289662wmd.106.1509107779712;
        Fri, 27 Oct 2017 05:36:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1509107779; cv=none;
        d=google.com; s=arc-20160816;
        b=NnCuAUnD+CiRi6XultIHywjeAKILSesvG/eDeYyPPaiOW9lTTKv4Swjjthg7JkGPZV
         qfIGkgcXJqWwGuq5ASEHBcRze7dNIebeXzmf9ilUi5Go0cgBEieAaoM6KfCSswiuIvrl
         rzACAMRx7iL2RKay/Mi1cdmLHEuycUviG4VjXgXnDwrhEXKuRY1nCq/oW89jb5wzj6P9
         adLk/oPjcjtkWVvudP3BGGMxGqo/FyN3PcipEutle0yuMdOWcD760MYE8jc1T9rR/WvD
         jKDLrBJDRn9glW9H+b+Tt6Lx/bMlmJbjyO+n+dw968mFv5KiA9wpvWjksUVzpW9tmjOm
         pu6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:message-id:from:to:subject:arc-authentication-results;
        bh=ajrpRrolctsK5lgNWSV5xRWP0kftGtNg0KDcEqeY694=;
        b=PQlFhKmnf2/vZR4Vp9PeZg/i9yLth3IfK7k6IusYrG0FqpDruyJi4dsJntm7nAunVj
         yJYeaiu/OOm2ENSIKJbgiFpi2kGV4hoDIzJRmawIY5xFmELo7HJU0F8jBcwB6t22Dpu2
         itNlA/BNY+wp/rYrXDx1Yz36lNGgaxLgIl7h6FlvbDmT0itqBaOfadUzkSWTW/5VGxjc
         J5edh6HBNQ45Y9y1l0LSTYKl8NPeisASn8IEh00CX566M4+/YkKy9NBG0pFB/jh6CY1z
         rZyXa3lV0u9UzdcqSZemwdWTbiWGPHFhkIgNZha3cb4TJsjHvaPYfrrYkiq2TPrbq1/E
         FcNA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 139.162.243.103 is neither permitted nor denied by best guess record for domain of root@0675c97b78aa.localdomain) smtp.mailfrom=root@0675c97b78aa.localdomain;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Return-Path: <root@0675c97b78aa.localdomain>
Received: from 0675c97b78aa.localdomain (li1528-103.members.linode.com. [139.162.243.103])
        by mx.google.com with ESMTP id r13si5494659wrg.374.2017.10.27.05.36.19
        for <XXX@gmail.com>;
        Fri, 27 Oct 2017 05:36:19 -0700 (PDT)
Received-SPF: neutral (google.com: 139.162.243.103 is neither permitted nor denied by best guess record for domain of root@0675c97b78aa.localdomain) client-ip=139.162.243.103;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 139.162.243.103 is neither permitted nor denied by best guess record for domain of root@0675c97b78aa.localdomain) smtp.mailfrom=root@0675c97b78aa.localdomain;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Received: by 0675c97b78aa.localdomain (Postfix, from userid 0) id 5F04FE5B72; Fri, 27 Oct 2017 12:36:19 +0000 (UTC)
Subject: test mail to Some Address!
To: Me <XXX@gmail.com>
From: Vasya <XXX@yandex.ru>
Message-Id: <20171027123619.5F04FE5B72@0675c97b78aa.localdomain>
Date: Fri, 27 Oct 2017 12:36:19 +0000 (UTC)

first line of my message

In Yandex.ru inbox:

Received: from mxfront12g.mail.yandex.net ([127.0.0.1])
	by mxfront12g.mail.yandex.net with LMTP id g8Rq5bAq;
	Fri, 27 Oct 2017 14:32:30 +0300
Received: from li1528-103.members.linode.com (li1528-103.members.linode.com [139.162.243.103])
	by mxfront12g.mail.yandex.net (nwsmtp/Yandex) with ESMTP id IIHHej4nOp-WTZOkxWK;
	Fri, 27 Oct 2017 14:32:29 +0300
Return-Path: root@0675c97b78aa.localdomain
X-Yandex-Front: mxfront12g.mail.yandex.net
X-Yandex-TimeMark: 1509103949
X-Yandex-Spam: 1
Received: by 0675c97b78aa.localdomain (Postfix, from userid 0)
	id D354BE5B72; Fri, 27 Oct 2017 11:32:28 +0000 (UTC)
To: XXX@yandex.ru
Subject: My subject 1
X-PHP-Originating-Script: 1000:send.php
From: XXX@gmail.com
CC: XXX@yandex.ru
Message-Id: <20171027113228.D354BE5B72@0675c97b78aa.localdomain>
Date: Fri, 27 Oct 2017 11:32:28 +0000 (UTC)
X-Yandex-Forward: 83938fd9893ad788cf792ddfa68a0e0a
X-Yandex-Forward: a8c50329ae5e4eaa440a48a9e2df76be

First line of text
Second line of text

I tried the following links, but with no success yet:

  1. Postfix masquerading or changing outgoing SMTP email or mail address
  2. How to change default root@ email address linux / postfix / centos?
  3. Generic mapping for outgoing SMTP mail
  4. myhostname in /etc/postfix/main.cf
  5. How to Setup WordPress with LAMP + Postfix as Send-Only Mail Notifications on VPS Server
  6. How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 14.04
  7. Enabling SASL authentication in the Postfix SMTP/LMTP client

Google spam filter is still filtering the messages out.

To remove sendmail I did this:

apt-get remove --auto-remove sendmail*
apt-get purge --auto-remove sendmail*

One year later (on October 18, 2018) I realized that the information provided above is not quite correct, because postfix sends mail via yandex.ru only if sendmail is run with -f option like this:

/usr/sbin/sendmail -t -f username1@yandex.ru -i -v < body.txt

where body.txt contains

Subject: test mail to My Address!
From: Me <username2@gmail.com>
To: Vasya <username1@yandex.ru>
Firt line of my message 1

This makes postfix really use yandex.ru but it connects to port 25:

Oct 18 09:18:36 localhost postfix/pickup[12794]: 8634C13FAC1: uid=1000 from=<username1@yandex.ru>
Oct 18 09:18:36 localhost postfix/cleanup[20334]: 8634C13FAC1: message-id=<20181018091836.8634C13FAC1@localhost.localdomain>
Oct 18 09:18:36 localhost postfix/qmgr[12795]: 8634C13FAC1: from=<username1@yandex.ru>, size=353, nrcpt=1 (queue active)
Oct 18 09:18:36 localhost postfix/smtp[20336]: 8634C13FAC1: to=<username1@yandex.ru>, relay=smtp.yandex.ru[77.88.21.38]:25, delay=0.41, delays=0.01/0.01/0.34/0.05, dsn=5.5.4, status=bounced (host smtp.yandex.ru[77.88.21.38] said: 503 5.5.4 Error: send AUTH command first. (in reply to MAIL FROM command))
Oct 18 09:18:37 localhost postfix/cleanup[20334]: 1A6BA140184: message-id=<20181018091837.1A6BA140184@localhost.localdomain>
Oct 18 09:18:37 localhost postfix/qmgr[12795]: 1A6BA140184: from=<>, size=2424, nrcpt=1 (queue active)
Oct 18 09:18:37 localhost postfix/bounce[20337]: 8634C13FAC1: sender non-delivery notification: 1A6BA140184
Oct 18 09:18:37 localhost postfix/cleanup[20334]: 1B56413F811: message-id=<20181018091837.1B56413F811@localhost.localdomain>
Oct 18 09:18:37 localhost postfix/qmgr[12795]: 1B56413F811: from=<>, size=2195, nrcpt=1 (queue active)
Oct 18 09:18:37 localhost postfix/bounce[20338]: 8634C13FAC1: sender delivery status notification: 1B56413F811
Oct 18 09:18:37 localhost postfix/qmgr[12795]: 8634C13FAC1: removed
Oct 18 09:18:38 localhost postfix/smtp[20336]: 1A6BA140184: to=<username1@yandex.ru>, relay=mx.yandex.ru[2a02:6b8::89]:25, delay=1.2, delays=0/0/0.24/0.95, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mxfront2j.mail.yandex.net as 1539854318-7qirx3cq9t-IbFaJ8Db)
Oct 18 09:18:38 localhost postfix/qmgr[12795]: 1A6BA140184: removed
Oct 18 09:18:38 localhost postfix/smtp[20339]: 1B56413F811: to=<username1@yandex.ru>, relay=mx.yandex.ru[93.158.134.89]:25, delay=1.3, delays=0/0.01/0.3/1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mxfront8j.mail.yandex.net as 1539854318-SBx7LC1MXf-IbiG2Owr)
Oct 18 09:18:38 localhost postfix/qmgr[12795]: 1B56413F811: removed

To make it connect to port 465 I installed stunnel:

sudo apt install stunnel
sudo nano /etc/stunnel/yandex.conf
[smtp]
client = yes
accept = 127.0.0.1:25025
connect = smtp.yandex.ru:465
sudo nano /etc/default/stunnel4
# Change to one to enable stunnel automatic startup
ENABLED=1
sudo service stunnel4 restart
telnet localhost 25025
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 smtp4j.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
sudo nano /etc/postfix/main.cf
relayhost = localhost:25025
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/private/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = login
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/private/sender_relay
sender_canonical_maps = hash:/etc/postfix/private/canonical
compatibility_level=2
sudo service postfix restart

and something strange started to happen:

Oct 18 09:57:14 localhost postfix/pickup[22171]: 2207213FB7D: uid=1000 from=<username1@yandex.ru>
Oct 18 09:57:14 localhost postfix/cleanup[22218]: 2207213FB7D: message-id=<20181018095714.2207213FB7D@localhost.localdomain>
Oct 18 09:57:14 localhost postfix/qmgr[22172]: 2207213FB7D: from=<username1@yandex.ru>, size=353, nrcpt=1 (queue active)
Oct 18 09:57:14 localhost postfix/smtp[22220]: 2207213FB7D: to=<username1@yandex.ru>, relay=smtp.yandex.ru[213.180.193.38]:25, delay=0.42, delays=0.01/0.01/0.35/0.05, dsn=5.5.4, status=bounced (host smtp.yandex.ru[213.180.193.38] said: 503 5.5.4 Error: send AUTH command first. (in reply to MAIL FROM command))
Oct 18 09:57:14 localhost postfix/cleanup[22218]: AD7C01412AB: message-id=<20181018095714.AD7C01412AB@localhost.localdomain>
Oct 18 09:57:14 localhost postfix/qmgr[22172]: AD7C01412AB: from=<>, size=2427, nrcpt=1 (queue active)
Oct 18 09:57:14 localhost postfix/bounce[22221]: 2207213FB7D: sender non-delivery notification: AD7C01412AB
Oct 18 09:57:14 localhost postfix/cleanup[22218]: AE53F13FB7C: message-id=<20181018095714.AE53F13FB7C@localhost.localdomain>
Oct 18 09:57:14 localhost postfix/qmgr[22172]: AE53F13FB7C: from=<>, size=2201, nrcpt=1 (queue active)
Oct 18 09:57:14 localhost postfix/bounce[22222]: 2207213FB7D: sender delivery status notification: AE53F13FB7C
Oct 18 09:57:14 localhost postfix/qmgr[22172]: 2207213FB7D: removed
Oct 18 09:57:15 localhost postfix/smtp[22224]: AE53F13FB7C: to=<username1@yandex.ru>, relay=localhost[127.0.0.1]:25025, delay=0.39, delays=0/0.01/0.33/0.06, dsn=5.5.4, status=bounced (host localhost[127.0.0.1] said: 503 5.5.4 Error: send AUTH command first. (in reply to MAIL FROM command))
Oct 18 09:57:15 localhost postfix/smtp[22220]: AD7C01412AB: to=<username1@yandex.ru>, relay=localhost[127.0.0.1]:25025, delay=0.43, delays=0/0/0.38/0.05, dsn=5.5.4, status=bounced (host localhost[127.0.0.1] said: 503 5.5.4 Error: send AUTH command first. (in reply to MAIL FROM command))
Oct 18 09:57:15 localhost postfix/qmgr[22172]: AE53F13FB7C: removed
Oct 18 09:57:15 localhost postfix/qmgr[22172]: AD7C01412AB: removed

Installing sasl2 does not have an effect:

sudo apt install sasl2-bin
sudo service postfix restart

So I tried another alternative without stunnel:

First I got the certificate from Yandex with the following command:

openssl s_client -starttls smtp -crlf -connect smtp.yandex.ru:25
-----BEGIN CERTIFICATE-----
MIIGazCCBVOgAwIBAgIQcUU9mJXW4OUs5Gf0JfLtsjANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJSVTETMBEGA1UEChMKWWFuZGV4IExMQzEnMCUGA1UECxMeWWFu
ZGV4IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQDEwlZYW5kZXggQ0Ew
HhcNMTcxMDExMTMyNzI2WhcNMTkxMDExMTMyNzI2WjB3MQswCQYDVQQGEwJSVTET
MBEGA1UECgwKWWFuZGV4IExMQzEMMAoGA1UECwwDSVRPMQ8wDQYDVQQHDAZNb3Nj
b3cxGzAZBgNVBAgMElJ1c3NpYW4gRmVkZXJhdGlvbjEXMBUGA1UEAwwOc210cC55
YW5kZXgucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTI5WsplxQ
g7gZDCEmnbxHI0a0/cXtx0+Zwz7Y9TSFy0NI/SzYC+bgukWvsnvuIheM3yKpJ+cU
Ss2G+K3nKOYDNJUezzziirhu3UVC/tZLD39orKKGAa6qmx5Dv2Z7/ynkOfKZjmXB
t9HemoCItyM62YTD8AQQmkMCB4Kue+j2wm8fHxPtgIYuQzEtD9xCU9vANj6imgaM
IlrM0cegknd6sWBDR074pDsBEUjg2GsNSqAo2nD0tvOGCFZ2qkIMLIjZgsCmtain
nM7Xt+THw8ApMu9BVsgTyXMTfVC0CzfB1HbId1UzqIbILprB3iLrxCHn3K1F68ok
WfBXBDY4gphTAgMBAAGjggMJMIIDBTAMBgNVHRMBAf8EAjAAMGkGA1UdHwRiMGAw
L6AtoCuGKWh0dHA6Ly9jcmxzLnlhbmRleC5uZXQvY2VydHVtL3ljYXNoYTIuY3Js
MC2gK6AphidodHRwOi8veWFuZGV4LmNybC5jZXJ0dW0ucGwveWNhc2hhMi5jcmww
cQYIKwYBBQUHAQEEZTBjMCwGCCsGAQUFBzABhiBodHRwOi8veWFuZGV4Lm9jc3At
cmVzcG9uZGVyLmNvbTAzBggrBgEFBQcwAoYnaHR0cDovL3JlcG9zaXRvcnkuY2Vy
dHVtLnBsL3ljYXNoYTIuY2VyMB8GA1UdIwQYMBaAFDdc4xngso6hqE7Sz6vQ3OML
XDVNMB0GA1UdDgQWBBTC1Kbatmr8y04cui/VCaPVq1mgKzAOBgNVHQ8BAf8EBAMC
BaAwggEXBgNVHSAEggEOMIIBCjCCAQYGDCqEaAGG9ncCBQEKAjCB9TCB8gYIKwYB
BQUHAgIwgeUwIBYZVW5pemV0byBUZWNobm9sb2dpZXMgUy5BLjADAgECGoHAVXNh
Z2Ugb2YgdGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdHJpY3RseSBzdWJqZWN0ZWQgdG8g
dGhlIENFUlRVTSBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudCAoQ1BT
KSBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlIGhlcmVpbiBhbmQgaW4gdGhlIHJl
cG9zaXRvcnkgYXQgaHR0cHM6Ly93d3cuY2VydHVtLnBsL3JlcG9zaXRvcnkuMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjARBglghkgBhvhCAQEEBAMCBsAw
egYDVR0RBHMwcYIOc210cC55YW5kZXgucnWCDnNtdHAueWFuZGV4LmJ5gg5zbXRw
LnlhbmRleC5reoIPc210cC55YW5kZXguY29tgg5zbXRwLnlhbmRleC51YYISc210
cC55YW5kZXguY29tLnRyggpzbXRwLnlhLnJ1MA0GCSqGSIb3DQEBCwUAA4IBAQA1
GjyKSYMgaRVLGd4EWtB3oTkybDu5QrUXt/eoZiquzUqZwk7x9FRsEEirawKsrSS6
FXcliRD7xcXneROVDZK1a4ur6974vn742B/lOx9T/7+6a8XQo4jz191zZWS3J47G
dSvkMZPSdsZPxn7cDbAymFP4yw3b/aJJBFarpYTUixvRXZardO93VAFx157pCt/8
3dN7jLWyYVWBvZh93JioukAu9uDt7Nzuq9XhTBLUzLnFFi4vXVsssKk7h3X2sMNU
kZ3EPMAOSsvl9XY5RHZJs7BZubvGgnDxxGFfziP1XnTbL4MRCAXbdhwx3nmnQ3yZ
nRG0DfdqYIuPGApFORYe
-----END CERTIFICATE-----

and saved it as /etc/postfix/private/yandex.crt.

In /etc/postfix/private/sasl_passwd:

[smtp.yandex.com]:587   username1@yandex.ru:**********
postmap sasl_passwd

In /etc/postfix/main.cf:

relayhost = [smtp.yandex.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/private/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/private/yandex.crt
compatibility_level=2

and it started to work somehow.

1 Response to Configuring Postfix with Yandex.ru relay in Ubuntu 16.04

  1. dmitriano says:

    When I change my mail password I update `/etc/postfix/private/sasl_passwd` and generate `sasl_passwd.db` with `postmap sasl_passwd` command. If the password is incorrect I can see the following messages with `tail -n 100 mail.log` command:

    Jun 12 17:31:38 localhost postfix/smtp[583]: 420816796: SASL authentication failed; server smtp.yandex.com[77.88.21.158] said: 535 5.7.8 Error: authentication failed: Invalid user or password!

Leave a Reply

Your email address will not be published. Required fields are marked *